
Feature #5007

CertificateBundle fetcher

Added by Junxiao Shi over 1 year ago. Updated 7 months ago.

Status: New
Priority: Normal
Assignee:
Category: Security
Target version:
Start date:
Due date:
% Done: 0%
Estimated time: 3.00 h

Description

Implement CertificateBundle fetcher API, as specified in #2766-30.

This issue includes these types:

  • CertBundleFetcher

Related issues

Blocked by ndn-cxx - Feature #5004: CertificateBundle encoding and decoding (In Progress, Jeremy Clark)

#1

Updated by Junxiao Shi over 1 year ago

  • Blocked by Feature #5004: CertificateBundle encoding and decoding added
#2

Updated by Alex Afanasyev 8 months ago

  • Tags changed from CertificateBundle to CertificateBundle, security
#3

Updated by Jeremy Clark 7 months ago

Could you give an example of how an application would call the CertificateBundleFetcher?

Specifically, I don't understand this:

Upon receiving a certificate request, this fetcher retrieves a certificate bundle registered by
addBundle() if matched, or deriveCertBundleName(certName) otherwise.

What does it mean for it to receive a certificate request?

This fetcher hooks onto the segment in-order arrival signal and passes the segment to an internal
CertBundleDecoder, and inserts decoded certificates into the CertificateStorage.

For this part, does it just insert the certificates into the unverified cache?

#4

Updated by Jeremy Clark 7 months ago

Am I correct in my understanding that the CertificateBundleFetcher uses the SegmentFetcher internally to fetch the bundle? If so, how does the application pass a reference to the validator?

#5

Updated by Alex Afanasyev 7 months ago

You may be misunderstanding this issue or I didn't correctly understand your question. CertBundleFetcher would be similar to CertificateFetcherFromNetwork, just instead of fetching a single cert, it would try to fetch the bundle. But overall, it would use the same interface.

#6

Updated by Jeremy Clark 7 months ago

Per the design posted here: (https://redmine.named-data.net/issues/2766#note-30)

Retrieval of a single certificate bundle should be handled by SegmentFetcher.
This fetcher hooks onto the segment in-order arrival signal and passes the segment to an internal
CertBundleDecoder, and inserts decoded certificates into the CertificateStorage.

This is the reason I've written the Segmenter and added in-order mode to the SegmentFetcher. Since a cert bundle may be made up of multiple segments, the SegmentFetcher is used here. My question is whether the SegmentFetcher exists internally and the API design is missing where the calling application can pass a reference to the Validator, or if it exists as I think it does and I'm just missing something about how it's constructed, or if I'm completely misunderstanding and the CertBundleFetcher does not use the SegmentFetcher internally.

#7

Updated by Alex Afanasyev 7 months ago

The fetcher instance should be created and stored inside the ValidationState instance (the one you get as a parameter inside the CertificateFetcher interface). ValidationState supports TagHost interface.

Actually, we already have CertificateBundleFetcher that uses BundleNameTag. If you need to preserve the instance of the fetcher, you either rename the tag and store both (name + fetcher) or create a new tag (I prefer having a single tag).

#8

Updated by Jeremy Clark 7 months ago

I see where I was misunderstanding before. But I'm still unsure how to create a SegmentFetcher instance inside the ValidationState instance without some access to a Validator reference necessary for the SegmentFetcher constructor.

#9

Updated by Alex Afanasyev 7 months ago

Ehm. This is not the place to do the validation, the job here is simply to fetch stuff. The certificate will be validated by the higher-level logic.

#10

Updated by Jeremy Clark 7 months ago

What do you suggest I do about the validator requirement for the SegmentFetcher? https://github.com/named-data/ndn-cxx/blob/09236c2b8d6d39218d22cdd5dd8d9bf9e5a1f352/ndn-cxx/util/segment-fetcher.hpp#L161

#11

Updated by Alex Afanasyev 7 months ago

Use ValidatorNull, though yes, you still need to create and keep an instance of it in the tag.
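The arrangement Alex describes in notes 7 and 11 (keep the fetcher instance alive by storing it in a single tag on the ValidationState, and hand the fetcher a null validator because real validation happens in the higher-level logic) is shown below as an added, self-contained example. It is not ndn-cxx code and not part of this issue: the Tag/SimpleTag/TagHost classes are minimal stand-ins modeled on the library's TagHost interface, BundleFetcher and NullValidator are constructed stand-ins for SegmentFetcher and ValidatorNull, and the tag type id 1000 and all names are constructed.

```cpp
// Added illustration (not ndn-cxx code): one tag on the validation state that
// keeps both the bundle name and the fetcher alive for the duration of the fetch.
#include <map>
#include <memory>
#include <string>
#include <utility>

// Minimal stand-ins modeled on ndn-cxx's Tag / SimpleTag / TagHost.
class Tag {
public:
  virtual ~Tag() = default;
};

template<typename T, int TypeId>
class SimpleTag : public Tag {
public:
  explicit SimpleTag(T value) : m_value(std::move(value)) {}
  static constexpr int getTypeId() { return TypeId; }
  const T& get() const { return m_value; }
  T& get() { return m_value; }
private:
  T m_value;
};

class TagHost {
public:
  template<typename T>
  std::shared_ptr<T> getTag() const {
    auto it = m_tags.find(T::getTypeId());
    if (it == m_tags.end()) return nullptr;
    return std::static_pointer_cast<T>(it->second);
  }
  template<typename T>
  void setTag(std::shared_ptr<T> tag) { m_tags[T::getTypeId()] = std::move(tag); }
  template<typename T>
  void removeTag() { m_tags.erase(T::getTypeId()); }
private:
  std::map<int, std::shared_ptr<Tag>> m_tags;   // one tag per type id
};

// For this pattern the validation state only needs to be a TagHost.
class ValidationState : public TagHost {};

// Stand-in for ValidatorNull: accepts every segment. The certificates carried in
// the bundle are validated afterwards by the higher-level validator (note 9).
struct NullValidator {
  bool validate(const std::string&) const { return true; }
};

// Stand-in for SegmentFetcher: holds the bundle name and the validator it was
// constructed with, and counts segments it has accepted.
class BundleFetcher {
public:
  BundleFetcher(std::string bundleName, std::shared_ptr<NullValidator> v)
    : m_bundleName(std::move(bundleName)), m_validator(std::move(v)) {}
  const std::string& getBundleName() const { return m_bundleName; }
  bool onSegment(const std::string& segment) {
    if (!m_validator->validate(segment)) return false;
    ++m_segments;
    return true;
  }
  int getSegmentCount() const { return m_segments; }
private:
  std::string m_bundleName;
  std::shared_ptr<NullValidator> m_validator;
  int m_segments = 0;
};

// Single tag carrying name + fetcher (the one-tag option preferred in note 7).
struct BundleFetch {
  std::string bundleName;
  std::shared_ptr<BundleFetcher> fetcher;
};
using BundleFetchTag = SimpleTag<BundleFetch, 1000>;   // constructed type id

// Start a bundle fetch for this state, or return the one already in progress.
std::shared_ptr<BundleFetcher> startBundleFetch(ValidationState& state, const std::string& bundleName) {
  if (auto tag = state.getTag<BundleFetchTag>()) {
    return tag->get().fetcher;   // a fetch is already attached to this state
  }
  auto fetcher = std::make_shared<BundleFetcher>(bundleName, std::make_shared<NullValidator>());
  state.setTag(std::make_shared<BundleFetchTag>(BundleFetch{bundleName, fetcher}));
  return fetcher;
}

bool bundleFetchInProgress(const ValidationState& state) {
  return state.getTag<BundleFetchTag>() != nullptr;
}

// Dropping the tag releases the state's reference; the fetcher lives on only while
// another owner (e.g. a pending callback) still holds it.
void finishBundleFetch(ValidationState& state) { state.removeTag<BundleFetchTag>(); }
```

Because the tag is keyed by type id, a second call on the same state reuses the fetcher instead of starting a parallel fetch, and removing the tag when the bundle is complete is what ends the fetcher's lifetime.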
